
#!/bin/ksh
# File	: chk_siemens-secu-mp_setting.ksh
# By	: Maarten de Boer, 100427
# Subject	: Check the Siemens security Measure Plans settings
#
#(0.1)	: Copied from chk_secu-baseline_settings.ksh
#	: Removed IMI/SDM part
#(0.2)	: Added more M's
#(0.3)	: Added -t test
#(0.4)	: Added more M's
#(0.5)	: Added ping
#(0.6)	: Added M118741  &  M118360 
#(0.7)	: Added M118580 (3.4.1)
#(0.8)	: Added M118270 (3.6.3)
#(0.9)	: Added M118148 (3.7.2)
#(0.10)	: Added M118885 (3.4.2)
#(0.11)	: Added (Siemens-)CSV-output
#(0.12)	: Changing the FILER-main-loop into a Measure-main-loop
#(0.13)	: Added M118422
#(0.14)	: Added
# set -x
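# Run-wide settings. All of these are plain globals; the ksh functions below
# read and write them directly (no typeset/local in this script).
PGM=$(basename "$0" | cut -d. -f1)      # script name without extension
VER="0.14"
TMP="/tmp/${PGM}.$$"                     # report being built; also the stem of the other temp files
LOGDIR="${HOME}/log"
LOG="${LOGDIR}/${PGM}.log"
HOSTNAME=$(hostname | cut -d. -f1)
WARN="/tmp/${PGM}.warn.$$"               # deviations only
MAIL=""                                  # set by -m/--mail/--mailto: mail the report
MAILFILE="${TMP}.mailfile"
MAILTO="maarten.deboer@atos.net"         # overridden by --mailto
FILERS="${HOME}/etc/filers"              # ';'-separated lines, filer name in field 1, '#' lines ignored (-e)
SSH="/usr/bin/ssh -n"                    # -n: ssh must never read the calling read-loop's stdin
DATI=$(date +%Y-%m-%d_%H-%M)
TXT="/tmp/${PGM}_${DATI}_${HOSTNAME}.txt"   # mailed report
FILTER="[?]*"                            # grep pattern on filer names (-f); the default matches every name
MAXLOGSIZE=1024   # In K's
CSV="/tmp/${PGM}_${DATI}_${HOSTNAME}.csv"   # mailed sheet
WARNCNT=0  # Warning count (per Measure)
TTLCNT=0  # Total count (per Measure)
TMPCSV="${TMP}.csv"
EXCLUDES="${HOME}/etc/${PGM}.excludes"  # accepted deviations, lines containing "filer[/vfiler]:option=value"
MAILPERFILER=""                          # --mpf; only reported in the output header
NAGIOSPCHECKDIR="/appl/dfm/nagios/PassiveCheck/PRD"
NAGIOS=""                                # -n/--nagios: write a passive-check file per deviation
MONIDHDR="MAS.NL.1"
CLASS="ZZ-Event.Storage.Storage"
FILERSWLEVELS="${HOME}/etc/filer-recommended-sw.csv"   # agreed ONTAP release per branch, field 1
TEST=""                                  # -t/--test
# NOTE(review): the temp files have predictable names under /tmp (pid suffix);
# on a shared host a private directory from mktemp -d would be the safer base.


# Siemens MeasurePlan Version
MPVER="V1.1"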

# (new) CSV
# CSV_SourceID;ScanTime;ScanTarget;ScannedObject;ScanSuccess;ScanStatus;FindingID;Finding;AppAttributes;Customer;ScanEngineName;ScanEngineVersion;ProofName
# CSV_SourceID="000000"
# CSV_ScanTime=`date +%Y-%m-%d'T'%H:%M:%S`
# CSV_ScanTarget=${FILER}
# CSV_ScannedObject="NETAPP_${MPVER}_Mxxxx"
# CSV_ScanSuccess=true|false (connection with FILER / not)
# CSV_ScanStatus=true/false/not set
# CSV_FindingID=String (M118422_${MPVER}_FQDN)
# CSV_Finding=Text (ONTAP 8.3.2P2)
# CSV_AppAttributes=Record
# CSV_AppAttributes_Name=Required version
# CSV_AppAttributes_Value= >=8.3.2P9
# CSV_Customer=Siemens
# CSV_ScanEngineName="${HOSTNAME}:${PGM}"
# CSV_ScanEngineVersion=${VER}
# CSV_ProofName=String
# 


# Functions
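#######################################
# Check one Measure's option list on a filer and on each of its running
# vfilers (vfiler0 excluded).
# Globals:   reads SSH TMP WARN NAGIOS NAGIOSPCHECKDIR PGM MONIDHDR CLASS
#            MPVER TMPCSV and the CSV_* defaults; writes TTLCNT and WARNCNT
#            (one count per option checked / per deviation) and the CSV_*
#            fields of the record being built.
# Arguments: $1 - filer name (ssh target)
#            $2 - Measure id; ${TMP}.options.$2 holds one "option=value"
#                 line per required setting ('#' and empty lines are skipped)
# Outputs:   findings on stdout and in ${TMP}; deviations also in ${WARN};
#            one CSV record per option per (v)filer appended to ${TMPCSV};
#            with NAGIOS set, one passive-check line per deviation.
# Returns:   status of the last command; callers only read the counters.
#######################################
CHECK_FILER_OPTIONS()
{
  CFO_FILER="${1}"
  CFO_MEASURE="${2}"
  CFO_OPTIONS="${TMP}.options.${CFO_MEASURE}"

# --- the filer itself ---
# The option file is redirected into the loop (not piped through cat) so the
# counters are updated in this shell whichever shell runs the script.
  while read -r LINE
  do
    case "${LINE}" in
      \#*|"") continue ;;
    esac
    OPTION="${LINE%%=*}"
    SETTO="${LINE#*=}"
    CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
    CSV_ScanTarget="${CFO_FILER}"
    CSV_FindingID="${CFO_MEASURE}_${MPVER}_${OPTION}"
# 'options <name>' answers "<name> <value>"; an empty VALUE means the filer did
# not answer and is reported like a deviation.
    VALUE=$(${SSH} "${CFO_FILER}" options "${OPTION}" | awk '{print $2}')
    TTLCNT=$((TTLCNT + 1))
    if [ -z "${VALUE}" ]; then
      CSV_ScanSuccess="false"
    else
      CSV_ScanSuccess="true"
    fi
    CSV_Finding="${VALUE}"
# Exclusion lookup is a fixed-string match: option names contain '.', which
# grep would otherwise treat as a wildcard. It is still a substring match, so
# an exclude written for "f1:x=1" also matches "f10:x=1".
    if [ "${SETTO}" = "${VALUE}" ]; then
      CSV_ScanStatus="true"
      CSV_AppAttributes=""
    elif grep -F -q -- "${CFO_FILER}:${OPTION}=${VALUE}" "${TMP}.excludes"; then
      echo "  (${CFO_FILER}:${OPTION}=${VALUE}. Must be:${SETTO})=Excluded & accepted." | tee -a "${TMP}"
# Value is not OK, but excluded
      CSV_ScanStatus="true"
      CSV_Finding="(${VALUE})"
      CSV_AppAttributes="Exclusion"
    else
      echo "${CFO_FILER}:${OPTION}=${VALUE}. Must be:${SETTO}" | tee -a "${TMP}"
      echo "Filer options ${CFO_FILER}:${OPTION}=${VALUE}. Must be:${SETTO}" | tee -a "${WARN}"
      if [ -n "${NAGIOS}" ]; then
        NAGIOSFILE="${NAGIOSPCHECKDIR}/$(date +%Y-%m-%d-%H-%M-%S)"
        echo "0|${PGM}: Filer options ${CFO_FILER}:${OPTION}=${VALUE}. Must be:${SETTO}.|MONID=${MONIDHDR}.${CFO_FILER}-SOS;CLASS=${CLASS};" >> "${NAGIOSFILE}"
      fi  # NAGIOS
      WARNCNT=$((WARNCNT + 1))
      CSV_ScanStatus="false"
      CSV_AppAttributes="Must be:${SETTO}"
    fi  # compare
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"
  done < "${CFO_OPTIONS}"

# --- each running vfiler ---
# The vfiler names are captured in a variable so the loop body runs in this
# shell. 'grep -v vfiler' is what drops vfiler0 (it also drops any vfiler
# whose name contains "vfiler").
  CFO_VFILERS=$(${SSH} "${CFO_FILER}" vfiler status | grep running | grep -v vfiler | awk '{print $1}')
  for VFILER in ${CFO_VFILERS}
  do
    while read -r LINE
    do
      case "${LINE}" in
        \#*|"") continue ;;
      esac
      OPTION="${LINE%%=*}"
      SETTO="${LINE#*=}"
      TTLCNT=$((TTLCNT + 1))
      CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
      CSV_ScanTarget="${CFO_FILER}-${VFILER}"
      CSV_FindingID="${CFO_MEASURE}_${MPVER}_${OPTION}"
# Through 'vfiler run' the answer differs from the filer itself: some options
# do not exist on a vfiler ("No such option", VALUE stays empty) and now and
# then the word "is" comes back instead of the value.
      VALUE=$(${SSH} "${CFO_FILER}" vfiler run "${VFILER}" options "${OPTION}" 2>/dev/null | tail -1 | grep -v "${VFILER}" | awk '{print $2}')
      if [ -z "${VALUE}" ]; then
        CSV_ScanSuccess="false"
      else
        CSV_ScanSuccess="true"
      fi
      CSV_Finding="${VALUE}"
      if [ "${VALUE}" = "is" ]; then
        echo "${CFO_FILER}/${VFILER}:${OPTION}=${VALUE}. Wrong value. Need to be checked (by hand / running script again)." | tee -a "${TMP}" | tee -a "${WARN}"
        CSV_ScanStatus="not set"
        CSV_AppAttributes=""
      elif [ -z "${VALUE}" ]; then
# Option not available on this vfiler: no deviation, but the record says the
# value was not scanned instead of inheriting the previous option's status.
        CSV_ScanStatus="not set"
        CSV_AppAttributes=""
      elif [ "${SETTO}" = "${VALUE}" ]; then
        CSV_ScanStatus="true"
        CSV_AppAttributes=""
      elif grep -F -q -- "${CFO_FILER}/${VFILER}:${OPTION}=${VALUE}" "${TMP}.excludes"; then
        echo "  (${CFO_FILER}/${VFILER}:${OPTION}=${VALUE}. Must be:${SETTO})=Excluded & accepted." | tee -a "${TMP}"
# Value is not OK, but excluded
        CSV_ScanStatus="true"
        CSV_Finding="(${VALUE})"
        CSV_AppAttributes="Exclusion"
      else
        echo "${CFO_FILER}/${VFILER}:${OPTION}=${VALUE}. Must be:${SETTO}" | tee -a "${TMP}"
        echo "vFiler options ${CFO_FILER}/${VFILER}:${OPTION}=${VALUE}. Must be:${SETTO}" | tee -a "${WARN}"
        if [ -n "${NAGIOS}" ]; then
          NAGIOSFILE="${NAGIOSPCHECKDIR}/$(date +%Y-%m-%d-%H-%M-%S)"
          echo "0|${PGM}: Vfiler options ${CFO_FILER}/${VFILER}:${OPTION}=${VALUE}. Must be:${SETTO}.|MONID=${MONIDHDR}.${VFILER}-VST;CLASS=${CLASS};" >> "${NAGIOSFILE}"
        fi  # NAGIOS
        WARNCNT=$((WARNCNT + 1))
        CSV_ScanStatus="false"
        CSV_AppAttributes="Must be:${SETTO}"
      fi  # compare
# One record per option (the old code wrote one per vfiler, losing all but
# the last option).
      echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"
    done < "${CFO_OPTIONS}"
  done  # VFILER
}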

USAGE()
{
  echo "Usage: ${PGM} <options>"
  echo "  Version: ${VER}"
  echo "  options       :"
  echo "    -e|--etc    : Etc/filers-file (${FILERS})"
  echo "    -f          : Filter filername (${FILTER})"
  echo "    -h|--help   : this Help"
  echo "    -m|--mail   : do send Mail"
  echo "    -n|--nagios : create ticket via Nagios (NaCl-PassiveCheck)"
  echo "    -t|--test   : Test script (files & mailing)"
  echo "    -V          : show Version"
  echo "    -x          : set -x"
  echo "    --mailto    : change MAILTO address & do send mail (${MAILTO})"
  echo "    --mpf       : MailPerFiler (normaly all filers in 1 mail)"
}
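## MAIN
# Command-line options. -f, -e and --mailto take a value; NEED_ARG stops the
# script when that value is missing instead of silently shifting past the end
# of the argument list.
NEED_ARG()
{
  if [ $# -lt 2 ]; then
    echo "Option ${1} needs an argument. Exiting..."; echo; USAGE; exit 1
  fi
}
if [ $# -eq 0 ]; then
  echo "No option(s) given. So not to know what to do. Exiting..."; echo; USAGE; exit 1
fi
while [ $# -gt 0 ]
do
  case "$1" in
    -f) NEED_ARG "$@"; FILTER=$2; shift ;;
    -m | --mail) MAIL=1 ;;
    -n | --nagios) NAGIOS=1 ;;
    -e | --etc) NEED_ARG "$@"; FILERS=$2; shift ;;
    --mailto) NEED_ARG "$@"; MAILTO=$2; MAIL=1; shift ;;
    --mpf) MAILPERFILER=1 ;;
    -h | --help) USAGE; exit 1 ;;
    -t | --test) TEST=1 ;;
    -V) echo "${PGM}: v${VER}"; exit 3 ;;
    -x) set -x ;;
    *) echo "Option ${1} not known. Exiting..."; echo; USAGE; exit 1 ;;
  esac
  shift
done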

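# Log directory and run log.
if [ ! -d "${LOGDIR}" ]; then
  mkdir -p "${LOGDIR}"
fi
echo "$(date) ${PGM} (v${VER}) started." | tee -a "${LOG}"
# Echo the effective settings (FILERS is the filers-file; ETC was never set).
echo "CLASS=${CLASS}"
echo "FILERS=${FILERS}"
echo "EXCLUDES=${EXCLUDES}"
echo "FILTER=${FILTER}"
echo "MAIL=${MAIL}"
echo "MAILTO=${MAILTO}"
echo "MAILPERFILER=${MAILPERFILER}"
echo "MONIDHDR=${MONIDHDR}"
echo "NAGIOS=${NAGIOS}"
echo "NAGIOSPCHECKDIR=${NAGIOSPCHECKDIR}"
echo "TEST=${TEST}"

touch "${TMP}" "${WARN}" "${TMPCSV}"
# Rotate the log (to .old) once it reaches MAXLOGSIZE; du -k reports 1K blocks.
# An unreadable size counts as 0 so the comparison never sees an empty operand.
LOGSIZE=$(du -ka "${LOG}" | cut -f1)
LOGSIZE=${LOGSIZE:-0}
if [ "${LOGSIZE}" -ge "${MAXLOGSIZE}" ]; then
  mv "${LOG}" "${LOG}.old"
  touch "${LOG}"
fi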

# TEST (-t): send a probe mail and check that the filers-file and the log
# exist, then exit with 4 (errors) or 0 without touching any filer.
if [ -n "${TEST}" ]; then
  ERRCNT=0
  TESTMSG="  For test, this message is send to ${MAILTO} (MAILTO) ..."
  echo "${TESTMSG}" | mailx -s "TEST msg" "${MAILTO}"
  echo "${TESTMSG}"
  if [ ! -f "${FILERS}" ]; then
    echo "  NO FILERS-(${FILERS})file found ..." | tee -a "${LOG}"
    ERRCNT=$((ERRCNT + 1))
  fi  # FILERS
  if [ ! -f "${LOG}" ]; then
    echo "  NO LOG-(${LOG})file found ..." | tee -a "${LOG}"
    ERRCNT=$((ERRCNT + 1))
  fi  # LOG
  TESTRC=0
  if [ ${ERRCNT} -gt 0 ]; then
    TESTRC=4
  fi
  echo "  ${ERRCNT} errors. So exit(${TESTRC}) ..." | tee -a "${LOG}"
  exit ${TESTRC}
fi  # TEST

# Excludes: the optional ${EXCLUDES} file lists accepted deviations (lines
# containing "filer[/vfiler]:option=value"); '#' lines are dropped. The working
# copy ${TMP}.excludes always exists, possibly empty, so the lookups in
# CHECK_FILER_OPTIONS never hit a missing file.
touch "${TMP}.excludes"
if [ -f "${EXCLUDES}" ]; then
  echo "$(date) ${EXCLUDES} found. Will be used." | tee -a "${LOG}"
  grep -v '^#' "${EXCLUDES}" >> "${TMP}.excludes"
else
  echo "$(date) No ${EXCLUDES} found. So NO excludes will be made." | tee -a "${LOG}"
fi  # EXCLUDES

# Header line of the CSV sheet; the checks append one record per finding.
printf '%s\n' "# CSV_SourceID;ScanTime;ScanTarget;ScannedObject;ScanSuccess;ScanStatus;FindingID;Finding;AppAttributes;Customer;ScanEngineName;ScanEngineVersion;ProofName" >> "${TMPCSV}"

# Defaults for the record fields. The placeholder texts (<SourceID>, Mxxxxx,
# true|false, ...) are what a record shows when its check never set the field.
CSV_SourceID="<SourceID>"
CSV_Customer="Siemens"
CSV_ScanEngineName="${HOSTNAME}:${PGM}"
CSV_ScanEngineVersion="v${VER}"
CSV_ProofName=""
CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
CSV_ScanTarget="<FILER>[-<VFILER>]"
CSV_ScannedObject="NETAPP_${MPVER}_Mxxxxx"
CSV_ScanSuccess="true|false"
CSV_ScanStatus="true|false|not set"
CSV_FindingID="Mxxxxxx_${MPVER}_${FILER}"
CSV_Finding=""
CSV_AppAttributes=""


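echo "+ M118734 (3.1.2) Compliance With Corporate Password Policy" | tee -a "${TMP}"
# Required password-policy options, one "option=value" line each. Written once,
# with '>', before the filer loop: appending inside the loop made the N-th
# filer check the list N times (inflated TTLCNT, duplicated CSV records).
cat << !EOF > "${TMP}.options.M118734"
security.passwd.rules.minimum=14
security.passwd.rules.minimum.digit=1
security.passwd.rules.minimum.alphabetic=2
security.passwd.rules.minimum.symbol=1
security.passwd.rules.history=9999
security.passwd.firstlogin.enable=on
security.passwd.lockout.numtries=4
security.passwd.rules.everyone=on
!EOF
# Start Checking (loop): field 1 of every non-comment line of ${FILERS},
# sorted, narrowed by FILTER.
for FILER in $(grep -v '^#' "${FILERS}" | awk -F';' '{print $1}' | sort | grep "${FILTER}")
do
  echo "" | tee -a "${TMP}"
  echo "* ${FILER}" | tee -a "${TMP}"
  echo "$(date) ${PGM}: ${FILER}." | tee -a "${LOG}"

  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
  CSV_ScannedObject="NETAPP_${MPVER}_M118734 (3.1.2) Compliance With Corporate Password Policy"
  CSV_FindingID="M118734_${MPVER}_${FILER}"
# Reset per filer so an unreachable filer's record does not carry the previous
# filer's finding.
  CSV_Finding=""
  CSV_AppAttributes=""
# Check connectivity of the filer
  ping -c 1 "${FILER}"
  EC=$?
  if [ ${EC} -eq 0 ]; then
    CSV_ScanSuccess="true"
# All options, from filer AND Vfiler, are checked upon their value
    WARNCNT=0
    TTLCNT=0
    CHECK_FILER_OPTIONS "${FILER}" "M118734"
    if [ ${TTLCNT} -gt 0 ]; then
      PERC=$(( (TTLCNT - WARNCNT) * 100 / TTLCNT ))
    else
      PERC=100
    fi
    echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a "${TMP}"
  else
    echo "$(date) No connectivity (ping). EC=${EC}" | tee -a "${LOG}"
    CSV_ScanSuccess="false"
    CSV_ScanStatus="not set"
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"
  fi  # PING
done  # FILER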


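echo "+ M118422 (3.3.1) Do Not Use Outdated Software;" | tee -a "${TMP}"
# One check per filer: the running ONTAP release must equal the release agreed
# (NetApp/Atos) for its branch, i.e. the first ';'-field of the ${FILERSWLEVELS}
# line that starts with the branch.
for FILER in $(grep -v '^#' "${FILERS}" | awk -F';' '{print $1}' | sort | grep "${FILTER}")
do
  echo "" | tee -a "${TMP}"
  echo "* ${FILER}" | tee -a "${TMP}"
  echo "$(date) ${PGM}: ${FILER}." | tee -a "${LOG}"

  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
  CSV_ScannedObject="NETAPP_${MPVER}_M118422 (3.3.1) Do Not Use Outdated Software"
  CSV_FindingID="M118422_${MPVER}_ONTAP"
# Reset per filer: a compliant or unreachable filer must not inherit the
# previous filer's finding or "Must be" attribute in its record.
  CSV_Finding=""
  CSV_AppAttributes=""
# Check connectivity of the filer
  ping -c 1 "${FILER}"
  EC=$?
  if [ ${EC} -eq 0 ]; then
    CSV_ScanSuccess="true"
    WARNCNT=0
    TTLCNT=1   # exactly one check for this Measure, counted whatever its outcome
# 'version' answers e.g. "NetApp Release 8.2.3P2 7-Mode: Wed Mar  4 19:06:11 PST 2015";
# keep only the release token.
    OSVERSION=$(${SSH} "${FILER}" version | cut -d: -f1 | sed 's/NetApp Release //g' | sed 's/Data ONTAP Release //g' | awk '{print $1}')
    CSV_Finding="${OSVERSION}"
    if [ -z "${OSVERSION}" ]; then
# No answer: record "not set" instead of comparing an empty string (an empty
# OSVERSION also turns OSBRANCH into "." which matches every line of the
# level file).
      echo "${FILER} ONTAP version could not be read" | tee -a "${TMP}"
      CSV_ScanSuccess="false"
      CSV_ScanStatus="not set"
      WARNCNT=$((WARNCNT + 1))
    else
# Branch = major.minor without P-level, e.g. 8.2 out of 8.2.3P2
      OSBRANCH=$(echo "${OSVERSION}" | awk -F. '{print $1"."$2}' | cut -dP -f1)
# NOTE(review): OSBRANCH is used as a regex prefix, so "8.2" also matches a line
# starting with "8.20"; fine while the level file holds one line per branch.
      SWLEVEL=$(grep "^${OSBRANCH}" "${FILERSWLEVELS}" | awk -F';' '{print $1}')
      if [ -z "${SWLEVEL}" ]; then
        SWLEVEL="not found"
      fi
      if [ "${OSVERSION}" != "${SWLEVEL}" ]; then
        echo "${FILER} ONTAP is ${OSVERSION}. Must be ${SWLEVEL}" | tee -a "${TMP}"
        CSV_ScanStatus="false"
        CSV_AppAttributes="Must be ${SWLEVEL}"
        WARNCNT=$((WARNCNT + 1))
      else
        CSV_ScanStatus="true"
      fi
    fi  # OSVERSION
    PERC=$(( (TTLCNT - WARNCNT) * 100 / TTLCNT ))
    echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a "${TMP}"
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"
  else
    echo "$(date) No connectivity (ping). EC=${EC}" | tee -a "${LOG}"
    CSV_ScanSuccess="false"
    CSV_ScanStatus="not set"
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"
  fi  # PING
done  # FILER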


##
##
##  echo "M118793 (3.3.2) Activate The Firewall"|tee -a ${TMP}
##  echo "  This option is not applicable in 7-mode."|tee -a ${TMP}
##  echo "= 100 %"  | tee -a ${TMP}
###  echo -n "100%;" >> ${TMPCSV}
##
##
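echo "+ M118792 (3.3.3) Block Access To Insecure Network Services" | tee -a "${TMP}"
# Services that must be switched off. Written once, with '>', before the loop:
# appending inside the loop made the N-th filer check the list N times.
cat << !EOF > "${TMP}.options.M118792"
rsh.enable=off
telnet.enable=off
ftpd.enable=off
ftpd.explicit.enable=off
tftpd.enable=off
httpd.enable=off
!EOF
# Start Checking (loop)
for FILER in $(grep -v '^#' "${FILERS}" | awk -F';' '{print $1}' | sort | grep "${FILTER}")
do
  echo "" | tee -a "${TMP}"
  echo "* ${FILER}" | tee -a "${TMP}"
  echo "$(date) ${PGM}: ${FILER}." | tee -a "${LOG}"

  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
  CSV_ScannedObject="NETAPP_${MPVER}_M118792 (3.3.3) Block Access To Insecure Network Services"
# NOTE(review): unlike M118734 this id carries no per-filer suffix; kept as is
# because the CSV consumer may depend on it.
  CSV_FindingID="M118792_${MPVER}"
  CSV_Finding=""
  CSV_AppAttributes=""
# Check connectivity of the filer
  ping -c 1 "${FILER}"
  EC=$?
  if [ ${EC} -eq 0 ]; then
    CSV_ScanSuccess="true"
# All options, from filer AND Vfiler, are checked upon their value
    WARNCNT=0
    TTLCNT=0
    CHECK_FILER_OPTIONS "${FILER}" "M118792"
# routed is not an option but a line in /etc/rc (second word of the line
# containing "routed", expected "off"). It is counted and recorded like the
# options so a deviation also reaches the CSV sheet, not only the report.
    ROUTED=$(${SSH} "${FILER}" 'rdfile /etc/rc' | grep routed | awk '{print $2}')
    TTLCNT=$((TTLCNT + 1))
    CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
    CSV_ScanTarget="${FILER}"
    CSV_FindingID="M118792_${MPVER}_routed"
    CSV_Finding="${ROUTED}"
    if [ -z "${ROUTED}" ]; then
      CSV_ScanSuccess="false"
    else
      CSV_ScanSuccess="true"
    fi
    if [ "${ROUTED}" != "off" ]; then
      echo "${FILER} routed (/etc/rc) is ${ROUTED}. Must be off" | tee -a "${TMP}"
      WARNCNT=$((WARNCNT + 1))
      CSV_ScanStatus="false"
      CSV_AppAttributes="Must be:off"
    else
      CSV_ScanStatus="true"
      CSV_AppAttributes=""
    fi  # ROUTED
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"
    if [ ${TTLCNT} -gt 0 ]; then
      PERC=$(( (TTLCNT - WARNCNT) * 100 / TTLCNT ))
    else
      PERC=100
    fi
    echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a "${TMP}"
  else
    echo "$(date) No connectivity (ping). EC=${EC}" | tee -a "${LOG}"
    CSV_ScanSuccess="false"
    CSV_ScanStatus="not set"
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"
  fi  # PING
done  # FILER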


##
##
##  echo "+ M118741 (3.3.4) Setup And Use Siemens Signed Certificates"|tee -a ${TMP}
### Check secureadmin status is ssl is active
### Check for 'rdfile /etc/keymgr/csr/secureadmin.pem' and mark when there
##  WARNCNT=0
##  TTLCNT=0
##  SSL_STATUS="`${SSH} ${FILER} 'secureadmin status'|grep ssl|awk -F\- '{print $2}'`"
##  if [ "${SSL_STATUS}" != " active" ];  then
##    echo "${FILER} (secureadmin) ssl NOT active. Must be active"|tee -a ${TMP}
##    let WARNCNT=${WARNCNT}+1
##    let TTLCNT=${TTLCNT}+1
##  fi
##  ${SSH} ${FILER} 'rdfile /etc/keymgr/csr/secureadmin.pem' > /dev/null
##  EC=${?}
##  if [ ${EC} -ne 0 ]; then
##    echo "${FILER} (key-file) /etc/keymgr/csr/secureadmin.pem NOT found"|tee -a ${TMP}
##    let WARNCNT=${WARNCNT}+1
##    let TTLCNT=${TTLCNT}+1
##  fi
##  if [ ${TTLCNT} -gt 0 ]; then
##    let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
##  else
##    let PERC="100"
##  fi
##  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
###  echo -n "${PERC}%;" >> ${TMPCSV}
##
##
##  echo "+ M118272 (3.3.5) Disable SSL And Configure TLS"|tee -a ${TMP}
### All options, from filer AND Vfiler, are checked upon their value
##  WARNCNT=0
##  TTLCNT=0
### Options values
##cat << !EOF >> ${TMP}.options.M118272
##ssl.enable=off
##ssl.v2.enable=off
##ssl.v3.enable=off
##tls.enable=on
##httpd.admin.ssl.enable=on
##!EOF
##  CHECK_FILER_OPTIONS ${FILER} "M118272"
##  if [ ${TTLCNT} -gt 0 ]; then
##    let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
##  else
##    let PERC="100"
##  fi
##  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
###  echo -n "${PERC}%;" >> ${TMPCSV}
##
##
##  echo "+ M118304 (3.3.6) Disable Insecure Secure Shell (SSH) Settings"|tee -a ${TMP}
### All options, from filer AND Vfiler, are checked upon their value
##  WARNCNT=0
##  TTLCNT=0
### Options values
##cat << !EOF >> ${TMP}.options.M118304
##ssh1.enable=off
##ssh2.enable=on
##ssh.passwd_auth.enable=off
##ssh.pubkey_auth.enable=on
##telnet.distinct.enable=on
##!EOF
##  CHECK_FILER_OPTIONS ${FILER} "M118304"
##  if [ ${TTLCNT} -gt 0 ]; then
##    let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
##  else
##    let PERC="100"
##  fi
##  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
###  echo -n "${PERC}%;" >> ${TMPCSV}
##
##
##echo "+ M118360 (3.3.7) Disable SNMP Versions 1 & 2 And Secure SNMP Version 3"|tee -a ${TMP}
##  WARNCNT=0
##  TTLCNT=0
### snmp community should be empty
##  SNMP_COMM=`${SSH} ${FILER} 'snmp community'`
##  if [ "${SNMP_COMM}" != "" ]; then
##    echo "${FILER} snmp community should be empty. Is not (${SNMP_COMM})."|tee -a ${TMP}
##    let WARNCNT=${WARNCNT}+1
##    let TTLCNT=${TTLCNT}+1
##  fi
### useradmin role add <role_name> (snmp_role) -a login-snmp
### useradmin group add <group_name> (snmp_group) -r <role_name> snmp_role
### useradmin user add <user_name> (snmp_user) -g <group_name> snmp_group
### useradmin user add snmp_user -p Str0ngSNMPp@ssword -g snmp_group'
##  SNMP_USER=`${SSH} ${FILER} 'useradmin user list snmp_user'| grep '^Name:'|head -1|awk '{print $2}'`
##  SNMP_GROUP=`${SSH} ${FILER} 'useradmin group list snmp_group'| grep '^Name:'|head -1|awk '{print $2}'`
##  SNMP_ROLE=`${SSH} ${FILER} 'useradmin role list snmp_role'| grep '^Name:'|head -1|awk '{print $2}'`
##  SNMP_CAPA=`${SSH} ${FILER} 'useradmin role list snmp_role'| grep 'Capabilities:'|head -1|awk '{print $3}'`
##  if [ "${SNMP_USER}" != "snmp_user" ] && [ "${SNMP_GROUP}" = "snmp_group" ] && [ "${SNMP_ROLE}" = "snmp_role" ] && [ "${SNMP_CAPA}" != "login-snmp" ]; then
##  echo "One (ore more) is not OK (user=${SNMP_USER},group=${SNMP_GROUP},role=${SNMP_ROLE},capa=${SNMP_CAPA}) "|tee -a ${TMP}
##    let WARNCNT=${WARNCNT}+1
##    let TTLCNT=${TTLCNT}+1
##  fi
##  if [ ${TTLCNT} -gt 0 ]; then
##    let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
##  else
##    let PERC="100"
##  fi
##  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
###  echo -n "${PERC}%;" >> ${TMPCSV}
##
##
##echo "+ M118371 (3.3.8) Enable Command Line Session Time-Outs"|tee -a ${TMP}
### All options, from filer AND Vfiler, are checked upon their value
##  WARNCNT=0
##  TTLCNT=0
### Options values
##cat << !EOF >> ${TMP}.options.M118371
##autologout.console.enable=on
##autologout.console.timeout=300
##ssh.idle.timeout=5
##!EOF
##  CHECK_FILER_OPTIONS ${FILER} "M118371"
##  if [ ${TTLCNT} -gt 0 ]; then
##    let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
##  else
##    let PERC="100"
##  fi
##  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
###  echo -n "${PERC}%;" >> ${TMPCSV}
##


##echo "+ M118346 (3.3.9) Secure File System Access Using Active Directory Or Access Control Lists (ACLs)"|tee -a ${TMP}
### All options, from filer AND Vfiler, are checked upon their value
##  WARNCNT=0
##  TTLCNT=0
### Options values
##cat << !EOF >> ${TMP}.options.M118346
##wafl.default_qtree_mode=0775
##!EOF
##  CHECK_FILER_OPTIONS ${FILER} "M118346"
##  if [ ${TTLCNT} -gt 0 ]; then
##    let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
##  else
##    let PERC="100"
##  fi
##  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
###  echo -n "${PERC}%;" >> ${TMPCSV}
##
##
##
##echo "+ M118580 (3.4.1) Change Default Account Passwords"|tee -a ${TMP}
### On a (7-mode) filer you cannot see whether a password has been changed.
### Therefore we need to use a "trick", by creating an update file (/etc/log/root_pwd_change.log) 
### With : "<YYYYMMDD> root password changed" in it.
### So check if date is placed at the 1st. (do not check how long ago)
##  WARNCNT=0
##  TTLCNT=0
##  PWDCHANGEDATE="`${SSH} ${FILER} 'rdfile /etc/log/root_pwd_change.log'|awk '{print $1}'`"
##  let TTLCNT=${TTLCNT}+1
##  if [ "${PWDCHANGEDATE}" = "" ]; then
##    echo "${FILER} root password has never been changed. Or registred in /etc/log/root_pwd_change.log"|tee -a ${TMP}
##    let WARNCNT=${WARNCNT}+1
##  else
###    echo "  ${FILER} in /etc/log/root_pwd_change.log is date ${PWDCHANGEDATE}"|tee -a ${TMP}
##    OLDDATE="`date --date='3 month ago' +%Y%m%d`"
##    if [ ${PWDCHANGEDATE} -lt ${OLDDATE} ]; then
##      echo "${FILER} password date in /etc/log/root_pwd_change.log is too (3 month) old (${PWDCHANGEDATE}). Please change password and update /etc/log/root_pwd_change.log"|tee -a ${TMP}
##      let WARNCNT=${WARNCNT}+1
##    else
##      echo "  ${FILER} password date in /etc/log/root_pwd_change.log is OK (less then 3 month old) (${PWDCHANGEDATE})."|tee -a ${TMP}
##    fi  # -lt
##  fi  # PWDCHANGEDATE
##  if [ ${TTLCNT} -gt 0 ]; then
##    let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
##  else
##    let PERC="100"
##  fi
##  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
###  echo -n "${PERC}%;" >> ${TMPCSV}
##
##
##echo "+ M118885 (3.4.2) Delete Or Deactivate Unused Accounts"|tee -a ${TMP}
### List all (active & inactive) accounts
##  ${SSH} ${FILER} 'useradmin user list'|grep "Name:"|awk '{print $2}'|while read NAME REST
##  do
##    echo -n "  "|tee -a ${TMP}
##    ${SSH} ${FILER} "useradmin user list ${NAME}"|gawk 'BEGIN {RS=""}
##{
##  t=0
##  while (++t<=NF) {printf "%s ", $t}
##  printf "\n"
##}'file | tee -a ${TMP}
##
##  done  # NAME
##
##
###  echo -n "na;" >> ${TMPCSV}
##
##
##echo "+ M118273 (3.4.3) Disable Anonymous Shares"|tee -a ${TMP}
### All options, from filer AND Vfiler, are checked upon their value
##  WARNCNT=0
##  TTLCNT=0
### Options values
##cat << !EOF >> ${TMP}.options.M118273
##cifs.restrict_anonymous=2
##!EOF
##  CHECK_FILER_OPTIONS ${FILER} "M118273"
##  if [ ${TTLCNT} -gt 0 ]; then
##    let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
##  else
##    let PERC="100"
##  fi
##  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
###  echo -n "${PERC}%;" >> ${TMPCSV}
##
##
##
##echo "+ M118545 (3.5.1) Enable And Configure Logging"|tee -a ${TMP}
### All options, from filer AND Vfiler, are checked upon their value
##  WARNCNT=0
##  TTLCNT=0
### Options values
##cat << !EOF >> ${TMP}.options.M118545
##auditlog.enable=on
##auditlog.max_file_size=10000000
##!EOF
##  CHECK_FILER_OPTIONS ${FILER} "M118545"
##  if [ ${TTLCNT} -gt 0 ]; then
##    let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
##  else
##    let PERC="100"
##  fi
##  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
###  echo -n "${PERC}%;" >> ${TMPCSV}
##
##
##  echo "+ M118270 (3.6.3) Restrict Host Access To Network Services"|tee -a ${TMP}
###  man na_protocolaccess 
###              options protocol.access access_spec [ AND | OR  [ ( ] access_spec [ ) ] ... ]
###       protocol is currently one of the following:  rsh,  telnet, ssh, httpd, httpd.admin, snmp, ndmpd, snapmirror, or snapvault.
##  WARNCNT=0
##  TTLCNT=0
##  PROTOCOLS="rsh telnet ssh httpd httpd.admin snmp ndmpd snapmirror snapvault"
##  for PROT in ${PROTOCOLS}
##  do
##    PROTSTATUS="`${SSH} ${FILER} \"options ${PROT}.enable\"|awk '{print $2}'`"
##    if [ "${PROTSTATUS}" = "on" ]; then
##      let TTLCNT=${TTLCNT}+1
###      echo "  ${FILER} ${PROT}=${PROTSTATUS}."|tee -a ${TMP}
##      ACCESSSTATUS="`${SSH} ${FILER} \"options ${PROT}.access\"|awk '{print $2}'`"
##      ACCESSHOSTS="`echo ${ACCESSSTATUS}|grep 'host='`"
##      if [ "${ACCESSHOSTS}" = "" ]; then
##        echo "${FILER} options ${PROT}=${PROTSTATUS}. But NO host= in options ${PROT}.access (${ACCESSSTATUS})"|tee -a ${TMP}
##        let WARNCNT=${WARNCNT}+1
##      else
##        echo "  ${FILER} ${PROT}=${PROTSTATUS}. options ${ACCESSSTATUS} "|tee -a ${TMP}
##      fi  # ACCESSHOSTS
##    else
##      echo "  ${FILER} ${PROT}=${PROTSTATUS}. So NO access check done."|tee -a ${TMP}
##    fi  # PROTSTATUS
##  done  # for
##
##  if [ ${TTLCNT} -gt 0 ]; then
##    let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
## ## else
##    let PERC="100"
##  fi
##  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
###  echo -n "${PERC}%;" >> ${TMPCSV}
##
##
##
##  echo "+ M118178 (3.6.4) Disable IPv6"|tee -a ${TMP}
### All options, from filer AND Vfiler, are checked upon their value
##  WARNCNT=0
##  TTLCNT=0
### Options values
##cat << !EOF >> ${TMP}.options.M118178
##ip.v6.enable=off
##httpd.ipv6.enable=off
##!EOF
##  CHECK_FILER_OPTIONS ${FILER} "M118178"
##  if [ ${TTLCNT} -gt 0 ]; then
##    let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
##  else
##    let PERC="100"
##  fi
##  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
###  echo -n "${PERC}%;" >> ${TMPCSV}
##
##
##  echo "+ M118797 (3.7.1) Secure AutoSupport"|tee -a ${TMP}
### All options, from filer AND Vfiler, are checked upon their value
##  WARNCNT=0
##  TTLCNT=0
### Options values
##cat << !EOF >> ${TMP}.options.M118797
##autosupport.content=minimal
##autosupport.support.transport=https
##autosupport.validate_digital_certificate=on
##!EOF
##  CHECK_FILER_OPTIONS ${FILER} "M118797"
##  if [ ${TTLCNT} -gt 0 ]; then
##    let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
##  else
##    let PERC="100"
##  fi
##  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
###  echo -n "${PERC}%;" >> ${TMPCSV}
##
### To be checked
### autosupport.support.url=<complete URL>
### autosupport.partner.to <email address1>[,..., <email address5 >]
##
##
##  echo "+ M118148 (3.7.2) Protect Stored Data With Antivirus-Software"|tee -a ${TMP}
##
### Check if VFILER (multistore) is licensed
##  MULTISTORE="`${SSH} ${FILER} license|grep multistore|awk '{print $2}'`"
##  if [ "${MULTISTORE}" = "not" ]; then
##    MULTISTORE=""
##  else
##    MULTISTORE=1
##  fi  # MULTISTORE
##  echo "  MULTISTORE=${MULTISTORE}" | tee -a ${TMP}
##
##
##
### For every system
### - A virus scanner must be used (e.g., with a server connected via NetApp interface/API (offloading virus scanning to a separate server))
### - The virus signatures and the scanner itself must be kept up-to-date
### - with CIFS file system: On-access virus scanning on all files stored within the system must be activated
### - Only NetApp FlexVol volumes must be used because infinite volumes are not supported by the virus scanning vendors.
##  WARNCNT=0
##  TTLCNT=0
### vscan enabled
##  if [ ${MULTISTORE} ]; then 
##    ${SSH} ${FILER} 'vfiler status'|grep running |awk '{print $1}'|while read VFILER REST
##    do
##      let TTLCNT=${TTLCNT}+1
##      SCANNING="`${SSH} ${FILER} \"vfiler run ${VFILER} vscan\"|grep scanning|grep disabled`"
##      if [ "${SCANNING}" != "" ]; then
##        echo "${FILER}/${VFILER} vscan is DISABLED. Should be enabled."|tee -a ${TMP}
##        let WARNCNT=${WARNCNT}+1
##      fi
##      SCANNING="`${SSH} ${FILER} \"vfiler run ${VFILER} vscan\"|grep scanning|grep enabled`"
##      if [ "${SCANNING}" != "" ]; then
##        echo "  ${FILER}/${VFILER} vscan is enabled"|tee -a ${TMP}
##      fi
##    done  # VFILER
##  else
##    let TTLCNT=${TTLCNT}+1
##    SCANNING="`${SSH} ${FILER} \"vscan\"|grep scanning|grep disabled`"
##    if [ "${SCANNING}" != "" ]; then
##      echo "${FILER} vscan is DISABLED. Should be enabled."|tee -a ${TMP}
##      let WARNCNT=${WARNCNT}+1
##    fi
##    SCANNING="`${SSH} ${FILER} \"vscan\"|grep scanning|grep enabled`"
##    if [ "${SCANNING}" != "" ]; then
##      echo "  ${FILER} vscan is enabled"|tee -a ${TMP}
##    fi
##  fi  # MULTISTORE
##
### flex volumes
##  FVCNT=0
##  ${SSH} ${FILER} 'vol status'|grep online|awk '{print $1}'|while read VOL REST
##  do
##    let FVCNT=${FVCNT}+1
##    let TTLCNT=${TTLCNT}+1
##    FLEXVOL="`${SSH} ${FILER} \"vol status ${VOL}\"|grep flex`"
##    if [ "${FLEXVOL}" = "" ]; then
##      echo "${FILER} ${VOL} is NO flex volume. Not allowed"|tee -a ${TMP}
##      let WARNCNT=${WARNCNT}+1
##    fi  # FLEXVOL
##  done  # VOL
##  echo "  ${FILER} ${FVCNT} FlexVol's found."|tee -a ${TMP}
##
##  if [ ${TTLCNT} -gt 0 ]; then
##    let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
##  else
##    let PERC="100"
##  fi
##  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
###  echo -n "${PERC}%;" >> ${TMPCSV}
##
##
##  echo "+ M118193 (3.7.3) Secure The Content Of Core Dumps"|tee -a ${TMP}
##  echo "  This option is not available in 7-mode."|tee -a ${TMP}
##  echo "= 100 %"  | tee -a ${TMP}
###  echo -n "100%;" >> ${TMP#CSV}
##
##
##  echo "+ M118113 (3.7.4) Prevent Kerberos Passive Replay Attacks"|tee -a ${TMP}
##  WARNCNT=0
##  TTLCNT=0
### Options values
##cat << !EOF >> ${TMP}.options.M118113
##kerberos.replay_cache.enable=on
##!EOF
##  CHECK_FILER_OPTIONS ${FILER} "M118113"
##  if [ ${TTLCNT} -gt 0 ]; then
##    let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
##  else
##    let PERC="100"
##  fi
##  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
###  echo -n "${PERC}%;" >> ${TMPCSV}
##
##  else  # ping
##    echo "`date` No connectivity (ping). EC=${EC}"|tee -a ${LOG}
##    CSV_ScanSuccess="false"
##    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> ${TMPCSV}
###    echo -n "No ping;" >> ${TMPCSV}
##  fi  # ping
##
###  echo " " >> ${TMPCSV}
##done  # for FILER

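# Trailer of the report: where it came from and with which settings.
echo "#" | tee -a "${TMP}"
echo "# Output (${TXT}) from ${HOSTNAME} at $(date +%Y-%m-%d_%H:%M:%S) of ${PGM} version ${VER}" | tee -a "${TMP}"
echo "# (etc)FILERS=${FILERS}, FILTER=${FILTER}, sentMAIL=${MAIL}, MAILTO=${MAILTO} MPF=${MAILPERFILER} " | tee -a "${TMP}"
echo "# Ready at $(date)" | tee -a "${TMP}"

# Fixed-name copies under /tmp (.out here, .txt/.csv after mailing); they are
# overwritten on every run.
cp "${TMP}" "/tmp/${PGM}.out"

# Mail the report (.TXT) and the sheet (.CSV) as attachments when -m/--mail/
# --mailto was given. The report covers all filers in one mail; --mpf
# (MAILPERFILER) is only echoed in the trailer, nothing in this script acts
# on it.
if [ -n "${MAIL}" ]; then
  cp "${TMP}" "${TXT}"
  date | mailx -a "${TXT}" -s ":${HOSTNAME}: Siemens M.P. security settings report (.TXT) at $(date +%Y-%m-%d_%H:%M:%S) [${PGM} v${VER}]" "${MAILTO}"
  cp "${TMPCSV}" "${CSV}"
  date | mailx -a "${CSV}" -s ":${HOSTNAME}: Siemens M.P. security settings output sheet (.CSV) at $(date +%Y-%m-%d_%H:%M:%S) [${PGM} v${VER}]" "${MAILTO}"
  echo "$(date) ${PGM}: Mailed (.TXT & .CSV) to ${MAILTO}." | tee -a "${LOG}"
fi  # MAIL

cp "${TMP}" "/tmp/${PGM}.txt"
cp "${TMPCSV}" "/tmp/${PGM}.csv"

# Cleanup of this run's temp files. ${TMP:?} aborts instead of letting the
# glob expand relative to the working directory should TMP ever be empty.
rm -f -- "${TMP:?}" "${TMP}".options.M* "${TMP}.excludes" "${WARN}" "${TMPCSV}"
echo "$(date) ${PGM} (v${VER}) finished." | tee -a "${LOG}"
exit 0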

